Fault attacks can be used, e.g., to compromise the security and integrity of data handling system, such as computer products. In particular, fault attacks are an area of concern for smart cards. A fault attack introduces a fault into the system during the system's operation, thereby causing the system to deviate from its programmed operation. In the past, fault attacks were commonly glitch attacks, such as induced on a power line, clock line or a reset line. More recently, light attacks have been found to be a relatively easy way of introducing a fault and disturbing the program flow of a microcontroller. A light attack is executed by flashing light on a surface of, e.g., an integrated circuit (IC), typically while the IC is operating.
Fault attacks are typically targeted on commands, such as conditional jumps or the test instructions preceding them. For example, fault attacks can be used to circumvent a verification of a PIN number in a smart card. If a user enters an incorrect PIN number, he/she can execute a fault attack at the moment the program is about to jump away to a routine for handling wrong PIN numbers. As a result of the fault attack the jump to the routine for handling wrong PIN numbers is not executed and the program continues as if the PIN number was correct. In this case the user gains, through the fault attack, the privileges associated with a correct PIN number, even though he/she only has possession of a wrong PIN number.
Other classes of security attacks that use fault attacks are those on cryptographic algorithms, such as used in, e.g., cryptographic protocols. For example, using the fault attack, an attacker can cause the algorithm to produce a wrong value. By analyzing the type of errors that occur in this manner, the attacker is, in some circumstances, able to deduce, e.g., a secret key. See, e.g., Boneh at al., “On the Importance of Checking Cryptographic Protocols for Faults”, 1997, Lecture Notes in Computer Science, volume 1233, pages 37-51. The latter attack is also known as the Bellcore attack.
Light attacks affect a read access to a memory, such as volatile memory, such as RAM, and non-volatile memory, such as Read Only Memory (ROM), EEPROM and Flash-memory. The effect of a light attack can be varied depending on the exact type of memory and the exact conditions. For example, in non-volatile memories, usually, it is not the content of the memory cell, which is changed by the light attack, but only the value that is read back, which is momentarily changed; after the light attack is over, the memory may return to its previous content, which content is not changed by the light attack. Depending on the exact conditions, the effect can be asymmetric, in that the bits tend to flip from one value more readily into another value than from the other value into the one value. As a further example, in volatile memory, a light attack may, depending on the focal point of the light attack, effect either a permanent change in the memory or a momentary change during reading.
A fault attack introducing a single uninterrupted stretch of faults will be referred to as a simple fault attack. A fault attack compromising a single read from a memory will be referred to as a short fault attack. A simple fault attack compromising more than one reading operation, e.g., a long light flash covering more than one reading operation, will be referred to as a long fault attack. A fault attack comprising multiple independent faults will be referred to as a multiple fault attack.
Published US patent application 20030204696: “Tamper-resistant method and data processing system using the same” discloses a method for preventing tampering of a data processing system, and is incorporated herein by reference.
The method according to US patent application 20030204696, involves a first reading of a data item from a region of the memory and a second reading of the data item from the region of the memory, the second reading immediately after the first reading, and determining whether the first reading and the second reading produced identical results. In case the results are not identical a fault has been detected. In this manner simple fault attacks covering only one of the two reads can be detected.
The method according to US patent application 20030204696 fails to detect a fault if the fault extends to both the first reading and the second reading, as the comparison may then not detect any difference. In particular, not all long fault attacks will be detected.
It is a problem of the prior art that fault attacks covering more than one reading operation from a memory, are not reliably detected.